
Cisco ASA アプリケーションのログの収集

このページでは、Cisco ASA アプリケーションのログ収集を設定する手順を説明し、ログ ファイルと FER (Field Extraction Rules) の例を示します。

このページでは、Cisco ASA アプリケーションのログ収集を設定する手順を説明し、ログ ファイルと FER (Field Extraction Rules) の例を示します。

前提条件

ログを syslog サーバ (この手順では Installed Collector の Syslog Source) に送信するように ASA を設定します。ASA はデフォルトでは UDP ポート 514 に syslog を送信しますが、プロトコルとポートは変更できます。

Cisco ASA アプリケーションのログ収集の設定

ログの収集を設定するには、次の手順を実行します。

  1. ホスト環境に合わせて Installed Collector を設定します。

  2. Syslog Source を、ASA が syslog の送信に使用しているものと同じプロトコルとポートで設定します。

サンプル ログ

Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416

FER (Field Extraction Rules) 

この FER (Field Extraction Rules) は、全体の parse 時間を削減するための例として提供されています。すべての parse オペレーションが FER でサポートされているわけではありません。詳細については、「FER (Field Extraction Rules) の作成」を参照してください。

| parse regex "(?<protocol>TCP|tcp|UDP|udp|ICMP|icmp)" nodrop
| parse regex "%[\w-]+(?<log_level>\d)-(?<message_id>\d{6})" nodrop
| parse regex "bytes\s(?<bytes_in>\d*)" nodrop
| parse regex "(?<direction>[i|I]nbound|[O|o]utbound)" nodrop
| parse regex "(?:\(type\s(?<icmp_type>[^,]+),\scode\s(?<icmp_code>[^\)]+)\))?\s+by\s+access-group\s+\"\+(?<rule_name>[^\"]+)" nodrop
| parse regex "(?i)icmp\s*type=(?<icmp_type>\d+)" nodrop
| parse regex "\d{2}:\d{2}:\d{2}(?:\-\d{2}:\d{2})?\s(?<dvc>[^\s]+)" nodrop
| parse regex "(?<src_translated_ip>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)/(?:\d+)\)\s(?<src_translated_port>to|dst)\s" nodrop
| parse regex "\s+(?:to|dst(?! user)) (?:(?<dest_zone>\S+):)[\w-]*?(?<dest_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(?<dest_port>\d+))?\s*(?:\(?(?<dest_translated_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(?<dest_translated_port>\d+)?\))?\s*(?:\((?:(?<dest_nt_domain>[\S^\\]+)\\)?(?<dest_user>[\w\-_]+)\))?" nodrop
| parse regex "\s(?:for|from|src)\s+(?:(?<src_zone>\S+):)?(?<src_ip>[\d\.]+)\/(?<src_port>\d+)\s+(?:to|dst)\s+(?:(?<dest_zone>[^:]+):)?(?<dest_ip>[\d\.]+)\/(?<dest_port>\w+)\s+" nodrop
| parse regex "\s+[Aa]ddress\s*(?<dest_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:/(?<dest_port>\d+))?\s*[Dd]iscovered\s*for\s*domain\s*(?<dest_nt_domain>[\S]+)" nodrop
| parse regex "\s+(?:to|dst(?! user)) (?:(?<dest_zone>[^\/]+)\/)?(?<dest_ipv6>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:\/(?<dest_port>\S+))?\s*" nodrop
| parse regex "\s(?:to|dest)\s(?:[a-f|A-F|0-9|:]+)(?:\/\S+)?\s*\((?<dest_translated_ip>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:\/(?<dest_translated_port>\S+))?\)" nodrop
| parse regex "\sfaddr (?:(?<dest_zone>\S+):)?(?<dest_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(?<dest_port>\d+))?\s*(?:\((?:(?<dest_nt_domain>[^\\]+)\\)?(?<dest_user>[^\)]+)\))?" nodrop
| parse regex "\sfaddr\s(?:(?<dest_zone>[^\/]+)\/)?(?<dest_ipv6>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\/?(?<dest_port>\d*)" nodrop
| parse regex "\sladdr (?:(?<src_zone>\S+):)?(?<src_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(?<src_port>\S+))?\s*" nodrop
| parse regex "\sladdr\s(?:(?<src_zone>[^\/]+)\/)?(?<src_ipv6>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\/?(?<src_port>\d*)" nodrop
| parse regex "\sgaddr (?<src_public_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})\/?(?<src_public_port>\d*)" nodrop
| parse regex "\sgaddr (?<src_public_ip>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\/?(?<src_public_port>\d*)" nodrop
| parse regex "(?:(?<src_zone>\S+)\/)?(?<src_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\((?<src_port>\d*)\)\s\->\s(?:(?<dest_zone>\S+)\/)?(?<dest_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\((?<dest_port>\d*)\)" nodrop
| parse regex "\s+(?:from|for|src(?! user)) (?:(?<src_zone>[^\/]+)\/)?(?<src_ipv6>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)(?:\/(?<src_port>\S+))?\s*" nodrop
| parse regex "\s\->\s(?:(?<dest_zone>\S+)\/)?(?<dest_ipv6>(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{0,4}|:[0-9A-Fa-f]{1,4})?|(?::[0-9A-Fa-f]{1,4}){0,2})|(?::[0-9A-Fa-f]{1,4}){0,3})|(?::[0-9A-Fa-f]{1,4}){0,4})|:(?::[0-9A-Fa-f]{1,4}){0,5})(?:(?::[0-9A-Fa-f]{1,4}){2}|:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])(?:\.(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9])?[0-9])){3})|(?:(?:[0-9A-Fa-f]{1,4}:){1,6}|:):[0-9A-Fa-f]{0,4}|(?:[0-9A-Fa-f]{1,4}:){7}:)\((?<dest_port>\d*)\)" nodrop
| parse regex "%ASA-\d-400\d+\sIPS:(?<signature_id>\d{4})\s(?<signature>.*)\sfrom" nodrop
| parse regex "access[\s-]group\s[\(\"]?(?<acl>[^\s\"\)]+)" nodrop
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})\s+(?<vendor_action>\S+)\s+(?:url|URL)\s+(?<dest_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})\s*:\s*(?<url>\S*)" nodrop
| parse regex "threat-level\s*:\s*(?<vendor_severity>[^\s,]+)[\s,]+category\s*:\s*(?<vendor_category>[^\s,]+)" nodrop
| parse regex "(?<action>[Aa]uthentication [Ss]ucceeded|[Aa]uthorization [Pp]ermitted|authentication Successful|passed authentication|Login permitted|Authentication failed|Authorization denied|Can't find authorization|Authentication Failed|authentication Rejected|credentials rejected|Authentication:Dropping|login warning|login failed|failed authentication|[Cc]onnection denied|Deny inbound|Deny|Terminating|action locally|Unable to Pre-allocate|denied\s[tcp|udp|icmp]+|access denied|access requested|access permitted|limit exceeded|Dropped|Dropping|[B|b]uilt|[pP]ermitted|whitelisted|Pre-allocated|Rebuilt|redirected|discarded)" nodrop
| parse regex "(?<action>Teardown\s[A-Z]{3,4})\sconnection" nodrop
| parse regex "%ASA-\d-\d+: (?<msg>.+)" nodrop
| parse regex "\sconnection (?<session_id>\d+)" nodrop
| parse regex "access-list (?<rule>[^\s]+)" nodrop
| parse regex "[Dd]uration:?\s*(?:(?<duration_day>\d+)[dD])?\s*(?<duration_hour>\d+)[Hh]?:(?<duration_minute>\d+)[Mm]?:(?<duration_second>\d+)[Ss]?" nodrop
| parse regex "[Gg]roup\s+(?:=\s+)?(?<group>[^\s,]+)" nodrop
| parse regex "User <(?<user>\S+)>" nodrop
| parse regex "IP <(?<src_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})>" nodrop
| parse regex "[Tt]unnel[Gg]roup\s+(?:=\s+)?(?<tunnelgroup>[^\s,]+)" nodrop | parse regex "Bytes xmt: (?<bytes_out>\d+), Bytes rcv: (?<bytes_in>\d+), Reason: (?<reason>.+)" nodrop
| parse regex "Authentication: (?<action>\S+)," nodrop
| parse regex "Session Type: (?<type>\S+)," nodrop
| parse regex "user-identity: (?<method>Add|Delete) (\S+) mapping (?<src_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}) - (?<user>\S+) (?<action>\S+) - (?<reason>.+)" nodrop
| parse regex "[Aa]ddress\s\<?(?<assigned_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})\>?\s" nodrop
| parse regex "DAP: User (?<user>\S+), Addr (?<src_ip>\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})" nodrop
| parse regex "Connection (?<type>\S+), (?<dap_message>.+)" nodrop
| parse regex "acl\s*=\s*(?<acl>[^,\s\)]+)" nodrop
| parse regex "[gG]roup\s*=\s*(?<group>[^,\s\)]+)" nodrop
| parse regex "(?:[uU]sername|[uU]ser)\s*=\s*(?<user>[^,\s\)]+)" nodrop
| parse regex "msgid\s*=\s*(?<msgid>[^,\s\)]+)" nodrop
| parse regex "[Oo]utbound\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*(?<dest_ip>[^\s\/\(]+)(?:\/(?<dest_port>\w+))?(?:\((?<dest_user>\S+)\))?\s*\(?(?<dest_translated_ip>[^\s\/\(]+)?\/?(?<dest_translated_port>\d+)?\)?\s+to\s+[^:]+:\s*(?<src_ip>[^\s\/\(]+)(?:\/(?<src_port>\w+))?(?:\((?<src_user>\S+)\))?\s*\(?(?<src_translated_ip>[^\s\/\(]+)?\/?(?<src_translated_port>\d+)?\)?"
